A security researcher says he broke into Hello Barbie, pictured above, to prove she could be hacked.

CNET

The song says Santa Claus sees you when you're sleeping and knows when you're awake. Is he the only one?

That's a growing question among parents after hackers and researchers have been running amok with Internet-connected toys in the past month. One intruder breached more than 11 million accounts tied to a toy from VTech called Learning Lodge, uncovering the names, birthdays and genders of more than 6.3 million children and scooping up their photographs to boot. As if that weren't creepy enough, a researcher revealed to reporters a security hole in Mattel's talking Hello Barbie, a $75 toy that talks to you like Siri from an iPhone. The flaw could allow hackers to steal personal information.

Forget "Elf on the Shelf," the story about a doll that reports to the North Pole with information on kids' behavior. With today's connected toys making their way to potentially millions of children for the holidays, spying on kids is no joking matter.

Mattel said no actual child's information has been stolen so far from Hello Barbie. ToyTalk, which creates the software that powers Hello Barbie, has a "bug bounty" program that will pay researchers to find flaws. "Mattel and ToyTalk have built in many privacy and security measures, and we are committed to providing the safest possible experience for parents and children," Mattel said.

Don't expect this to be the last we hear of toys being attacked. As more smarts are being put into everyday toys, researchers say hackers will find ways to break in and steal valuable information or worse, track our children while at play.

Companies are making two critical mistakes, according to security researchers. They store too much information, and then they don't adequately protect it. "If you are storing it, do it in a place where it's less likely to be exposed," said Mark Nunnikhoven, an expert at Trend Micro.

Security specialist Ed Skoudis said the issue boils down to the quality of the technology these companies are using.

"This stuff is really primitive from a security perspective," he said, speaking of the growing list of connected toys on the market, as well as other household devices that connect to the Internet, such as baby monitors and fitness trackers.

All these devices might seem like they're fresh off the set of the Jetsons, but they're actually rudimentary, he said. They often contain a simple computer and tend to come with default passwords that hackers can find online if they really want to. The result is that even a beginning hacker could break into them.

Skoudis is the head of Counter Hack, a company that looks for flaws in networks and connected devices, including toys. He also offers free online training focused on helping tech types learn about various aspects of cybersecurity. This year's theme just happens to be Internet-connected toys.

He hopes the training will help move more Internet-connected toys onto the nice list. "We need people to find these [flaws] and fix them," he said. "Otherwise they just sit there silently."

Updated 12/3 at 6:26 p.m. PT: This story has been changed to remove inaccurate information about the security research on Hello Barbie. Earlier reports that the flaws would allow hackers to listen in on children turned out to be incorrect.